In the furious debate around Chinese influence peddling and spying in Australia, there's been one large omission: WeChat.

The Chinese social media platform, messaging app, payments channel and retailer is the dominant digital player on the mainland and its creator, the Hong Kong-listed Tencent, is among the world's 10 largest companies with a market value of more than $US500 billion ($640 billion).

But for all Tencent's financial muscle, WeChat has deep and well documented security flaws.

These issues should have been part of the conversation during last year's debate about Chinese interference and surveillance in Australia, but were largely overlooked.

WeChat is relevant because anyone interacting with Chinese people or doing business on the mainland must have the app.

It is literally the digital gateway to China and used by more than 800 million people for everything from transmitting legal advice and investment opportunities to arranging a dinner and swapping contact details.

To engage with China and not have WeChat is beyond impossible. Such a reliance on WeChat is accentuated because the likes of WhatsApp and Facebook Messenger are blocked in China.

So let's consider the evidence compiled against WeChat and why it could be used for surveillance and peddling influence not only within China, but also outside its borders.

In an October 2016 report, Amnesty International looked at the effectiveness of the encryption systems used by 11 global technology players and in doing so ranked WeChat last.

And not by a small amount.

'Censorship and surveillance'

In coming to its conclusion Amnesty noted WeChat did not provide end-to-end encryption – the gold standard for privacy – left open the possibility its messaging system could be accessed via a "back door" and did not publish transparency reports on government requests for information.

To be fair to WeChat and its parent Tencent, the report noted any of these privacy measures would have been "legally and politically very difficult" given "China's laws and regulations strictly control the internet".

That said, it concluded WeChat was subject to both "censorship and surveillance".

And this does not just apply to those living in China.

"China has effectively extended its oversight of the internet outside its borders," says Fergus Ryan, a cyber security analyst at the Australian Strategic Policy Institute in Canberra.

"Tencent [WeChat's parent] will always comply with every request for information from Chinese authorities."

As Ryan sees it, this is the key difference between Tencent and the likes of Apple and Facebook.

While the US government has at times sought information from the tech giants, these requests have been disclosed and in the case of Apple resisted through the courts.

"China does not have the same level of judicial oversight as the US telcos and others around the world," says Ryan, who has previously worked in China.

This means people should fully expect that nothing they say on WeChat is private.

'Surveilling my private messages'

The Financial Times' China-based tech correspondent, Yuan Yang, confirmed as much last month when recalling a conversation she'd had with immigration police during which they had inadvertently referred to private messages she had sent.

"Does he [the officer] realise he saw that by surveilling my private messages and not on my public [WeChat] feed," she said on Twitter.

This lack of privacy and the potential for Chinese apps to contain spyware or malware was behind a decision in December by the Indian Defence Ministry to ban serving personnel from having WeChat and other similar services on their phones.

"Use of these apps by our force personnel can be detrimental to data security having implications on the force and national security," the Ministry said in a memo obtained by the Indian Express newspaper.

Serving personnel were instructed to delete WeChat and 41 other apps with links to China.

Privacy top priority

In response to questions by The Australian Financial Review, Tencent denied it condoned or allowed the use of spyware and said privacy and data protection were its top priority.

It added that since 2014, Tencent had been endorsed by US internet privacy company TRUSTe and that it only provided information to law enforcement agencies "when legally compelled to do so".

It should be noted that TRUSTe has been sanctioned by the Federal Trade Commission for deceiving consumers, and Nigel Phair, from the Centre for Internet Safety at the University of Canberra, said that in China Tencent was always compelled to hand over information to authorities.

But he said the bigger issue for users was not just the lack of privacy for WeChat messages, but how a user's metadata could be shared with Chinese authorities.

"Metadata reveals far more about your habits than any messages you send," he said.

Mr Phair said it was also "possible" WeChat's app could be used as a backdoor to access a user's phone.

And although Tencent denies it has violated users' privacy, one recent case would suggest otherwise.

In September last year, a Beijing man was sentenced to nine months' jail for a joke he made about Islamic State in a WeChat group.

Although other countries have jailed people for joking about terrorism online, the issue was that Zhang's comment was not made on a public forum but in a private group.

His messages were later tendered in court and used to convict him.

Authorities 'sneak around' data

"There are enough cases like this and other evidence to suggest Chinese authorities are able to dip into WeChat data and sneak around," said Ryan from ASPI.

"Tencent and [Chinese internet giant] Alibaba are collecting a tonne of information for their own commercial use, but this also dovetails nicely with what the Communist Party wants."

This leaves many Australians with an age-old China dilemma – is the price of engaging with the country worth what may have to be given up?

The dilemma is made all the more difficult as business, media, academic and government delegations are often asked to download WeChat when they first arrive in China by their local handlers, so the group can stay in touch.

In addition, WeChat is pushing into Australia through its payments function, which allows Chinese tourists to shop on holidays as they do at home.

It is convenient and familiar, but raises some big questions about how data collected in Australia might be used later.

At an individual level there is also the anxiety of not knowing if downloading the WeChat app may inadvertently allow others to access your phone.

"One solution is to have two phones, knowing that one of these is potentially compromised," said Ryan.

Angus Grigg was a China correspondent for the Financial Review from 2012 to 2017.